ClawHub

五运灵名

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Chinese metaphysical baby-naming skill, but it asks for sensitive child/family details and gives authoritative fortune, health-adjacent, and lifestyle guidance without privacy or reliance safeguards.

Review before installing. Avoid entering full identifying child or family details unless necessary, and treat the bazi, five-elements, fortune, health-adjacent, and lifestyle advice as cultural or entertainment content rather than a basis for parenting, medical, financial, housing, or other major decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill description is broad enough to trigger on many ordinary naming or name-evaluation conversations, which can cause unintended activation and override the assistant’s normal behavior. Because the skill then imposes rigid output requirements, overbroad routing increases the chance of misleading, unwanted, or context-inappropriate responses.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The skill mandates Chinese-only output and fixed response formatting without checking the user’s language preference, which can produce inaccessible or non-consensual behavior. In a multilingual assistant, this may cause the model to ignore user needs, reduce usability, and create prompt-routing conflicts when the user expects another language or a normal conversational format.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The handbook explicitly instructs collection of sensitive personal data, including full name, gender, precise birth date/time, birthplace, and related family information, but provides no privacy notice, minimization guidance, retention limits, consent language, or handling safeguards. In a naming skill, this creates unnecessary privacy risk because the data is sufficient for profiling and may expose a child’s identity and family details if logged, retained, or shared.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The content makes deterministic claims about personality, fortune, and life outcomes based on birth timing and seasonal/astrological factors, including claims that certain birth windows imply emotional instability or greater achievement. In a baby-naming and fate-consultation skill, this can mislead users into making meaningful parenting or identity decisions based on unverifiable pseudoscientific assertions, especially when framed as authoritative guidance.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The document presents gendered phonetic guidance as a normative rule, stating that certain sounds are more suitable for boys and others for girls, without framing it as optional preference. In a naming skill, this can systematically steer outputs toward gender stereotypes and exclude users seeking neutral or nontraditional names.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The '性别适配' principle explicitly instructs that boys' names should be strong and girls' names soft, making gender conformity part of the evaluation checklist. Because this skill is designed to generate and assess baby names, that bias is operationally likely to affect user-facing recommendations rather than remain theoretical.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This section gives concrete life-change recommendations such as direction choices, accessories, diet, housing, and naming-based 'remedies' without any clear disclaimer that the guidance is unvalidated, belief-based, and unsuitable for important personal, financial, medical, or family decisions. In the context of a baby-naming and fortune-oriented skill, users may reasonably treat the advice as authoritative and act on it, creating a risk of harmful reliance and manipulation of personal decisions.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal